Publicly disclosed vulnerabilities known as Spectre and Meltdown affect many processors and operating systems in use today. According to reports, affected processors include Intel, AMD, and ARM. Also, according to reports, affected systems include Windows, Linux, Android, Chrome, iOS, and MacOS (including laptops, embedded devices, servers, clients, mobile phones, etc.).

You are encouraged to seek out guidance from the vendors of your respective systems. Many vendors, including Microsoft, have already released patches that significantly alter how their systems handle memory operations in order to protect against these disclosed vulnerabilities. Yet others are continuing to roll out such patches.

In addition, Microsoft has issued client and server guidance for IT professionals to protect against speculative execution side-channel vulnerabilities. (Please note: These pages from Microsoft also have information on a Powershell script that can be executed to confirm protections against these vulnerabilities. Additional mitigation information is also provided.)

In more detail, researchers have authored papers on Spectre (CVE-2017-5715 and CVE-2017-5053) and Meltdown (CVE-2017-5754) attacks. Proof of concept exploit code is available, which exploits these vulnerabilities. Proof of concept code is publicly available in languages including C++, JavaScript, and C. (Code can always be ported to other languages, of course. This point is mentioned to emphasize that the threat is real—i.e., the exploit code is publicly available.)

In describing the Meltdown vulnerability, researchers have characterized it as follows:

“Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. …Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer.”

Additionally, “Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary.”

On the positive side of things, the exploit code may be used to check whether or not a system is vulnerable. A demonstration of the Spectre attack on a vulnerable machine (a Linux virtual machine running on a Windows 7 platform) is as follows:

This exploit only took a few seconds to execute. Since the system is vulnerable, it outputted the following phrase: “The Magic Words are Squeamish Ossifrage.”

Finally, as a gentle reminder, Javascript exploits are available for both Spectre and Meltdown. Thus, the time to patch is now. You may also want to consider disabling or minimizing the use of JavaScript, to the extent this is feasible. Plug-ins exist to block JavaScript. (After all, client-side exploits are no fun when you are the unwitting victim.)